OWASP AppSec Latam 2013

Today, all the well-known companies have lots of Web applications with vulnerabilities such as INJECTIONS; somehow they remain confident about them, WHY??

Well, this is mainly because they think they have a silver bullet called Web Application Firewall (WAF). This device is like IPS or IDS. WAF catches the requests and analyzes them looking for some malicious code like SQL, JAVA Script, LDAP, etc. If it finds any of them, the WAF blocks the request and sends an alert or just drops the request.

This is the ideal scenario but, as it always happens with any defense tool, there are lots of ways to bypass them. In this case, the way is using a new framework that is called ByWaf. ByWaf has the ability to bypass a WAF but also it can be a complete tool to exploit vulnerability in web applications.

The idea came three months ago, when I was pentesting a Web Application and found that it had a WAF, and that there were a few tools that could be useful for this objective.

A couple of weeks after, I found some other people with the same issue like mine. We got along and agreed to make this new framework for the OWASP community.

The topics covered in this talk are:

About me
Some references about me in the battle field in Web Application Penetration Testing and how I heard from OWASP?

About OWASP (real life)
How companies, consultants, hackers and so on, use OWASP on a daily basis. What can we find into it?

What is an OWASP Project?
Concepts about OWASP projects, types, how to get into them.

What is WAF?
Colors, flavors, and more about them.

How it works?
How the devil works trying to give us a hard time.

How to detect WAFs?
From console to some tools.

How to bypass them?
Some ways to make it look like fool

ByWaf Project
Past
Present
Future

Demo